Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Fri Jan 18 17:20:19 UTC 2013

On 1/17/13 6:21 PM, "William Herrin" <bill at herrin.us> wrote:

>On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard <Lee at asgard.org> wrote:
>> On 1/17/13 9:54 AM, "William Herrin" <bill at herrin.us> wrote:
>>>On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives at gmail.com> wrote:
>>>> The people on this list have a influence in how the Internet run, hope
>>>> somebody smart can figure how we can avoid going there, because there
>>>> is frustrating and unfun.
>>>
>>>"Free network-based firewall to be installed next month. OPT OUT HERE
>>>if you don't want it."
>>
>> I haven't heard anyone talking about carrier-grade firewalls.  To make
>>CGN
>> work a little, you have to enable full-cone NAT, which means as long as
>> you're connected to anything on IPv4, anyone can reach you (and for a
>> timeout period after that).  And most CGN wireline deployments will have
>> some kind of bulk port assignment, so the same ports always go to the
>>same
>> users.  NAT != security, and if you try to make it, you will lose more
>> customers than I predicted.
>
>Hi Lee,
>
>Then it's a firewall that mildly enhances protection by obstructing
>90% of the port scanning attacks which happen against your computer.
>It's a free country so you're welcome to believe that the presence or
>absence of NAT has no impact on the probability of a given machine
>being compromised. Of course, you're also welcome to join the flat
>earth society. As for me, the causative relationship between the rise
>of the "DSL router" implementing negligible security except NAT and
>the fall of port scanning as a credible attack vector seems blatant
>enough.

CGNs are not identical to home NAT functionality.  Home NATs are
frequently restricted cone NATs, which is why uPNP or manual
port-forwarding are required.  CGNs for residential deployments are full
cone NATs, so that this problematic applications are less problematic.
See http://en.wikipedia.org/wiki/Network_address_translation  and
draft-donley-nat444-impacts.

>
>
>>>It's not a hard problem. There are yet plenty of IPv4 addresses to go
>>>around for all the people who actually care whether or not they're
>>>behind a NAT.
>>
>> I doubt that very much, and look forward to your analysis supporting
>>that
>> statement.
>
>If you have the data I'll be happy to crunch it but I'm afraid I'll
>have to leave the data collection to someone who is paid to do that
>very exhaustive work.

I don't have any data that might support your assertion, which is why I'm
calling you on it.

>
>Nevertheless, I'll be happy to document my assumptions and show you
>where they lead.
>
>I assume that fewer than 1 in 10 eyeballs would find Internet service
>behind a NAT unsatisfactory. Eyeballs are the consumers of content,
>the modem, cable modem, residential DSL customers. Some few of them
>are running game servers, web servers, etc. but 9 in 10 are the email,
>vonage and netflix variety who are basically not impacted by NAT.

Netflix seems to have some funny interactions with some gateways and CGN.
[nat444-impacts]
What about p2p?

>
>I assume that 75% or more of the IPv4 addresses which are employed in
>any use (not sitting idle) are employed by eyeball customers. Verizon
>Wireless has - remind me - how many /8's compared to, say, Google?

The same number: 0.
I don't know how many addresses VZW has, but I could look it up in Whois
if I knew the orgID.
How'd you get 75%?

>
>If you count from the explosion of interest in the Internet in 1995 to
>now, it took 18 years to consume all the IPv4 addresses. Call it
>consumption of 1/18th of the address space per year.

You're going with linear growth?  See nro.net/statistics.

>Is it more like 1 in 5 customers would cough up
>an extra $5 rather than use a NAT address? The nearest comparable
>would be your ratio of dynamic to static IP assignments. Does your
>data support that being higher than 1 in 10? I'd bet the broad data
>sets don't.

If an ISP is so close to running out of addresses that they need CGN,
let's say they have 1 year of addresses remaining.  Given how many ports
apps use, recommendations are running to 10:1 user:address (but I could
well imagine that increasing to 50:1).  That means that for every user you
NAT, you get 1/10 of an address.
Example:  An 10,000-user ISP is growing at 10% annually.  They have 1,000
addresses left, so they implement CGN.  You say to assuming 90% of them
can be NATted, so next year, 100 get a unique IPv4 address, the other 900
share 90 addresses.  At 190 addresses per year, CGN bought you five years.

I think your 90% is high.  If it's 70%, you burn 370 per year.
That doesn't include the fact the increased support costs, or alienated
customer cancellations, or any of the stuff I talked about in TCO of CGN.

Lee